CVE-2026-20069
Reflected XSS in Cisco ASA and FTD VPN Web Services
Publication date: 2026-03-04
Last updated on: 2026-03-04
Assigner: Cisco Systems, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| cisco | secure_firewall_adaptive_security_appliance | * |
| cisco | secure_firewall_threat_defense | * |
| cisco | secure_firewall_adaptive_security_appliance_asa_software | * |
| cisco | secure_firewall_threat_defense_ftd_software | * |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-444 | The product acts as an intermediary HTTP agent (such as a proxy or firewall) in the data flow between two entities such as a client and server, but it does not interpret malformed HTTP requests or responses in ways that are consistent with how the messages will be processed by those entities that are at the ultimate destination. |
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability affects the VPN web services component of Cisco Secure Firewall Adaptive Security Appliance (ASA) Software and Cisco Secure Firewall Threat Defense (FTD) Software. It is caused by improper validation of HTTP requests, which allows an unauthenticated remote attacker to perform browser-based attacks.

An attacker can exploit this by tricking a user into visiting a malicious website that sends crafted HTTP requests to a vulnerable Cisco device with VPN web services enabled. This can lead to reflected malicious input being sent back to the user's browser, enabling attacks such as cross-site scripting (XSS). However, the attacker cannot directly compromise the device itself. [1]
How can this vulnerability impact me?
The main impact of this vulnerability is on the users of affected devices rather than the devices themselves. An attacker can conduct browser-based attacks like cross-site scripting (XSS) by reflecting malicious input through the vulnerable device to the user's browser.

This could lead to potential compromise of user sessions, theft of sensitive information, or execution of malicious scripts in the context of the user's browser. However, the attacker cannot directly affect the Cisco device or its operation. [1]
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
I don't know
How can this vulnerability be detected on my network or system? Can you suggest some commands?
To detect if your device is vulnerable to CVE-2026-20069, you should check the configuration of your Cisco Secure Firewall ASA or FTD device for specific VPN web services settings.
- Use the command `show running-config` on Cisco Secure Firewall ASA devices to verify whether either of the following configurations is enabled:
  - Internet Key Exchange version 2 (IKEv2) Remote Access VPN with client services enabled (`crypto ikev2 enable client-services port`)
  - SSL VPN (`webvpn enable`)
For Cisco Secure FTD Software, check if remote access VPN features are enabled via Cisco Secure Firewall Management Center (FMC) or Device Manager (FDM). Devices configured to accept only IKEv2 Remote Access VPN without client services enabled are not vulnerable.
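The check above can be scripted against saved `show running-config` output so it can be run across many devices offline. The following is an added example, not part of the advisory record or any Cisco tooling; it assumes the ASA configuration forms `crypto ikev2 enable <interface> client-services port <port>` and an indented `enable <interface>` line inside the `webvpn` block, and the config text it parses is a constructed sample, not output from a real device.

```python
import re

# Constructed excerpt of "show running-config" output (not from a real device).
# It contains one IKEv2 line with client services, one IKEv2 line without,
# and an SSL VPN (webvpn) block enabled on an interface.
SAMPLE_CONFIG = """\
crypto ikev2 enable outside client-services port 443
crypto ikev2 enable dmz
webvpn
 enable outside
 anyconnect enable
"""

# IKEv2 remote access with client services: exposes the VPN web services (assumed syntax)
IKEV2_CLIENT_SERVICES = re.compile(r"^crypto ikev2 enable (\S+) client-services port (\d+)\s*$")
# IKEv2 remote access without client services: not exposed per the advisory text
IKEV2_PLAIN = re.compile(r"^crypto ikev2 enable (\S+)\s*$")
# Indented "enable <interface>" under the webvpn block turns on SSL VPN (assumed syntax)
WEBVPN_ENABLE = re.compile(r"^\s+enable (\S+)\s*$")


def find_vpn_web_services(config_text):
    """Return which VPN web service features are enabled and on which interfaces."""
    findings = {
        "ikev2_client_services": [],          # list of (interface, port)
        "ikev2_without_client_services": [],  # list of interface names
        "webvpn": [],                         # list of interface names
    }
    in_webvpn = False
    for raw in config_text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        # Sub-mode commands are indented; any non-indented line ends the webvpn block
        if not line[0].isspace():
            in_webvpn = (line == "webvpn")
            m = IKEV2_CLIENT_SERVICES.match(line)
            if m:
                findings["ikev2_client_services"].append((m.group(1), int(m.group(2))))
                continue
            m = IKEV2_PLAIN.match(line)
            if m:
                findings["ikev2_without_client_services"].append(m.group(1))
            continue
        if in_webvpn:
            m = WEBVPN_ENABLE.match(line)
            if m:
                findings["webvpn"].append(m.group(1))
    return findings


def exposes_vpn_web_services(config_text):
    """True when either condition named in the detection guidance is present."""
    f = find_vpn_web_services(config_text)
    return bool(f["ikev2_client_services"] or f["webvpn"])


if __name__ == "__main__":
    result = find_vpn_web_services(SAMPLE_CONFIG)
    for key, value in result.items():
        print(f"{key}: {value}")
    print("VPN web services exposed:", exposes_vpn_web_services(SAMPLE_CONFIG))
```

A device whose only remote access configuration is `crypto ikev2 enable <interface>` with no `client-services` keyword and no `webvpn` enable line is reported as not exposed, matching the note that IKEv2-only deployments without client services are not affected; whether the software release itself is fixed still has to be confirmed with the Cisco Software Checker.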
What immediate steps should I take to mitigate this vulnerability?
There are no workarounds available for this vulnerability. The immediate and recommended mitigation step is to upgrade your Cisco Secure Firewall ASA or FTD software to the fixed software releases provided by Cisco.

Cisco provides a Software Checker tool to identify affected releases and the earliest fixed versions. It is advised to consult Cisco's official security advisory page and follow their detailed upgrade guides and compatibility documents.

If you require assistance, contact Cisco Technical Assistance Center (TAC) for support and entitlement to free upgrades. [1]